Add tests

Jigsaw-Code · Oct 26, 2023 · b9e9e41 · b9e9e41
1 parent 164559a
commit b9e9e41
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 9 deletions.
diff --git a/transport/tls/stream_dialer.go b/transport/tls/stream_dialer.go
@@ -80,10 +80,6 @@ type clientConfig struct {
 
 // ToStdConfig creates a [tls.Config] based on the configured parameters.
 func (cfg *clientConfig) ToStdConfig() *tls.Config {
-	certificateName := cfg.CertificateName
-	if certificateName == "" {
-		certificateName = cfg.ServerName
-	}
 	return &tls.Config{
 		ServerName:         cfg.ServerName,
 		NextProtos:         cfg.NextProtos,
@@ -97,7 +93,7 @@ func (cfg *clientConfig) ToStdConfig() *tls.Config {
 			// And the documentation example:
 			// https://pkg.go.dev/crypto/tls#example-Config-VerifyConnection
 			opts := x509.VerifyOptions{
-				DNSName:       certificateName,
+				DNSName:       cfg.CertificateName,
 				Intermediates: x509.NewCertPool(),
 			}
 			for _, cert := range cs.PeerCertificates[1:] {
@@ -122,7 +118,7 @@ func WrapConn(ctx context.Context, conn transport.StreamConn, remoteAdr string,
 	if err != nil {
 		return nil, fmt.Errorf("could not resolve port: %w", err)
 	}
-	cfg := clientConfig{ServerName: host}
+	cfg := clientConfig{ServerName: host, CertificateName: host}
 	for _, option := range options {
 		option(host, port, &cfg)
 	}
@@ -135,6 +131,8 @@ func WrapConn(ctx context.Context, conn transport.StreamConn, remoteAdr string,
 }
 
 // WithSNI sets the host name for [Server Name Indication](https://datatracker.ietf.org/doc/html/rfc6066#section-3) (SNI)
+// If absent, defaults to the dialed hostname.
+// Note that this only changes what is sent in the SNI, not what host is used for certificate verification.
 func WithSNI(hostName string) ClientOption {
 	return func(_ string, _ int, config *clientConfig) {
 		config.ServerName = hostName
@@ -156,8 +154,8 @@ func WithSessionCache(sessionCache tls.ClientSessionCache) ClientOption {
 	}
 }
 
-// WithCertificateName sets the hostname to be used for the certificate validation.
-// If absent, defaults to SNI.
+// WithCertificateName sets the hostname to be used for the certificate cerification.
+// If absent, defaults to the dialed hostname.
 func WithCertificateName(hostname string) ClientOption {
 	return func(_ string, _ int, config *clientConfig) {
 		config.CertificateName = hostname

diff --git a/transport/tls/stream_dialer_test.go b/transport/tls/stream_dialer_test.go
@@ -22,7 +22,47 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestDomainFronting(t *testing.T) {
+func TestDomain(t *testing.T) {
+	sd, err := NewStreamDialer(&transport.TCPStreamDialer{})
+	require.NoError(t, err)
+	conn, err := sd.Dial(context.Background(), "dns.google:443")
+	require.NoError(t, err)
+	conn.Close()
+}
+
+func TestIP(t *testing.T) {
+	sd, err := NewStreamDialer(&transport.TCPStreamDialer{})
+	require.NoError(t, err)
+	conn, err := sd.Dial(context.Background(), "8.8.8.8:443")
+	require.NoError(t, err)
+	conn.Close()
+}
+
+func TestIPOverride(t *testing.T) {
+	sd, err := NewStreamDialer(&transport.TCPStreamDialer{}, WithCertificateName("8.8.8.8"))
+	require.NoError(t, err)
+	conn, err := sd.Dial(context.Background(), "dns.google:443")
+	require.NoError(t, err)
+	conn.Close()
+}
+
+func TestFakeSNI(t *testing.T) {
+	sd, err := NewStreamDialer(&transport.TCPStreamDialer{}, WithSNI("decoy.example.com"))
+	require.NoError(t, err)
+	conn, err := sd.Dial(context.Background(), "dns.google:443")
+	require.NoError(t, err)
+	conn.Close()
+}
+
+func TestNoSNI(t *testing.T) {
+	sd, err := NewStreamDialer(&transport.TCPStreamDialer{}, WithSNI(""))
+	require.NoError(t, err)
+	conn, err := sd.Dial(context.Background(), "dns.google:443")
+	require.NoError(t, err)
+	conn.Close()
+}
+
+func TestAllCustom(t *testing.T) {
 	sd, err := NewStreamDialer(&transport.TCPStreamDialer{}, WithSNI("decoy.android.com"), WithCertificateName("www.youtube.com"))
 	require.NoError(t, err)
 	conn, err := sd.Dial(context.Background(), "www.google.com:443")